Common Vulnerabilities and Exposures by NIST

CVE-2014-8349 3.5

2014-11-24 2014-11-24

Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) 6.2 SP8 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the _20_body parameter in the comment field in an uploaded file.

Vendor(s): Liferay

Affected OS(s) / software(s): 1

CVE-2012-6662 4.3

2014-11-24 2014-11-24

Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.

Vendor(s): Jqueryui

Affected OS(s) / software(s): 1

CVE-2010-5312 4.3

2014-11-24 2014-11-24

Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.

Vendor(s): Jqueryui

Affected OS(s) / software(s): 1

CVE-2014-9030 7.1

2014-11-24 2014-11-24

The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x does not properly manage page references, which allows remote domains to cause a denial of service by leveraging control over an HVM guest and a crafted MMU_MACHPHYS_UPDATE.

Vendor(s): Xen

Affected OS(s) / software(s): 32

CVE-2014-9016 5

2014-11-24 2014-11-24

The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.

Vendor(s): Drupal, Secure password hashes project

Affected OS(s) / software(s): 2

CVE-2014-9015 6.8

2014-11-24 2014-11-24

Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions.

Vendor(s): Drupal

Affected OS(s) / software(s): 2

CVE-2014-8991 2.1

2014-11-24 2014-11-24

pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.

Vendor(s): Python

Affected OS(s) / software(s): 11

CVE-2014-8988 4

2014-11-24 2014-11-24

MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL.

Vendor(s): Mantisbt

Affected OS(s) / software(s): 1

CVE-2014-8986 3.5

2014-11-24 2014-11-24

Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a crafted config option, a different vulnerability than CVE-2014-8987.

Vendor(s): Mantisbt

Affected OS(s) / software(s): 5